Search Engine Spider and User Agent Identification Forum

Comcast is taking a leadership role and making a huge step forward in the eradication of botnets.

From their press release on Oct 8, 2009:

As part of this effort, starting today in Denver, CO, Comcast will begin to trial an in-browser notification “Service Notice”, which will alert customers whose computers appear to be infected with a bot (or virus) and request that they go to the Anti-Virus Center and follow a set of instructions to assist with removing the bot from their computer and thereby prevent it from spreading to other users.

How do you see that anti-botnet approach putting the US at odds with the rest of the world?

If major ISPs in the US and elsewhere take similar steps to Comcast's, then that reduces the number of botnets working to infect users all over the world, so everyone benefits.

It's also great that first steps are being taken toward 'prevention' at the network/ISP level rather than relying on individual users to keep their machines 'bot free'. Now if only we could see a similar attitude about e-mail spam!

Stopping these problems at their source would be so much better than requiring everyone on earth to run increasingly bloated and performance-draining anti-virus, anti-malware, and anti-spam applications, firewalls, etc. Many of these applications could be 'slimmed down' if steps could be taken higher up in the network to prevent bad stuff from propagating in the first place -- I'm certainly not advocating their elimination, but checks at the network layer could very well reduce the burden at the client level.

With 'client activity' monitoring in place, there's also the possibility to collect the data needed to locate the 'command and control centers' for botnets. This may raise the perceived risk in running botnets, and if the C&C centers can be quickly shut down or blocked, it will also raise the cost of operating a botnet. So as long as steps are taken to guard ISP users' privacy (by monitoring only for 'bot-related activity' and tossing out all other transaction data), it sounds good to me.

How do you see that anti-botnet approach putting the US at odds with the rest of the world?

Let me qualify: I see it as putting us at odds with the countries that predominantly run the botnets, which probably brings in quite a bit of income for some places.

If you don't think the botnet herders will retaliate at some level then read what happened with Blue Frog by Blue Security [en.wikipedia.org].

Obviously there's a big difference in approach as Blue Frog was actively going after the advertisers in the spam, but cutting off someone's livelihood can invoke repercussions which Blue Frog and some seriously hardened hosting companies were ill prepared to deal with.

A buddy of mine owns a small PC repair shop in town. I just talked to him about this matter. We are a 6 (Comcast) : 2 (FIOS) : 2 (other ISPs) 'hood around here. His response was: Build me a new site/forum please, pretty please. He says the same people show up every 3 months for a slow-performance checkup. Lots of students from a local college rent in town as well. You wouldn't believe the MSCONFIG screenshots he shows me once in a while.

This idea was proposed in Europe (I forget which country) a year or so ago. It was dropped because the ISPs would have had to access the users' computers to determine the bot-ishness, which someone decided was illegal access of computers and could land the ISPs in court.

I would welcome such activity IF it didn't in itself degrade my computer performance. The problem is, if your machine is behind a router or firewall, how does the ISP get in?

Or are the ISPs using traffic through their service to detect bot activity? In which case there is the recent concern about traffic interception (as in Phorm and NebuAd).

I'd be interested in how comcast were getting around these objections. As I said, I'm in favour - providing bot detection is as far as it goes.

On a different note, my web server gets a LOT of bad-bot traffic from comcast but I'm never sure if it's virus-related or hackers.

I don't know how well Comcast is prepared to evade a DDOS attack, but I support their decision to proceed. Otherwise, they (figuratively, we) put ourselves in an ethical quagmire such as that of ignoring blatantly-obvious child abuse because the abusive daddy, you know, might get mad at us if we said anything to anyone...

DDOS is a double-edged sword: Sure it disrupts (or at least inconveniences) the attacked party, but it also reveals the members of the attacking network. So attacking an entity that is already monitoring, recording, and acting upon malicious network activity might not be such a smart thing to do.

DDOS is a double-edged sword: Sure it disrupts (or at least inconveniences) the attacked party, but it also reveals the members of the attacking network

DDOS also reveals our weaknesses, which in the case of Blue Frog and a few others turned out to be the DNS servers. That was a massive problem because DDOS'ing the DNS servers knocked out all the customers, not just a single target.

It's the wrong approach: users ignore all pop-up warnings, or act on all of them. I'm not sure which is worse with all the malware that presents itself as "let us clean your PC from malware".

It's bad to showcase this to the bad guys as they'll adapt to it. And more importantly: use it against the users with fake warnings in the hopes they'll act on it.

It's too late: others have been doing better stuff for many years. The solution is to detect the infected customers and put them in a "walled garden" where they cannot do damage, but can get their problem properly fixed.

Others have been walling off their infected customers for years now. E.g. Qwest's CIPP (Customer Internet Protection Program), launched in October 2007. [news.qwest.com...]

The Qwest program doesn't sound all that different from the Comcast version really except Comcast is a few years behind in implementation.

It does seem too little too late. Comcast is focused only on making the quickest buck and allowed these machines to be on their network far too long (hey, as long as they pay their 59/month we're happy!).

Browser pop-up is also entirely the wrong thing to do.. how long will it be before spyware/botnets pop up similar warnings and install their own "security" software..

The only solution is to segregate machines into their own network with limited or no access until the consumer gets their crap straight.

I propose the implementation in HTTP/1.2 of a Client-Detonate server response header, in order to facilitate network clean-ups.

This would function similarly to the HCF opcode (Halt and Catch Fire) in early computer instruction sets, and to the RBT (Rewind and Break Tape) command in early magnetic storage controllers.

Comcast doesn't have to get everything perfect the first time out. They can learn from Qwest's methodology or they can figure it out by themselves over time just like everyone else does -- What will you be doing today at 1:00 PM Pacific Standard Time? (Hint, it's the second Tuesday of the month in Redmond, WA).

I'm sure they're already getting feedback from security experts across the planet on the pitfalls of in-browser notification (I'm not sure where the "pop-ups" phrase came from), and may switch to a better method before deployment. Warning their customers to "type in" the address and to ignore warnings from other entities that offer clickable links (a la PayPal) for security issues will also help mitigate the potential exploits of the system.

I'd also like to point out that although there is a potential for further abuse by spoofing of ComCast's security alerts, the fact is that the client is still inside ComCast's 'firewalled network,' so these follow-on exploits can be stopped or reduced as well.

After paying 59 for 7 years, I called last month and they dropped it to 32/12 months, no contract, plus router fee. FIOS moved in a couple of months ago so they are starting to feel the pinch already, at least locally.

That is not the point of this thread.

Installing toolbars and offering free software (antivirus) is not the way to go. I remember a couple of years ago I was talking to one of the techs from Comcast and he said I had to install software on all of the PCs in my network to fix the connection issues. Nahhhhh.

Block the PC from the internet without any software installed to monitor traffic; it's not like they don't know where I had my "Lo Mein" last time via my IP.

I haven't seen any mention of them requiring software to be installed, except in forum threads. As far as I can tell, they're going to be monitoring packet source and destination addresses, suspicious patterns of activity, etc. There is no need for client software in order to do those functions.

It doesn't hurt to offer free software, as long as it's from a trusted source. Given that we can assume that most of these infected users are "low-tech" people, the timing of Microsoft's release of their free "Security Essentials" --formerly known as OneCare-- is serendipitous (or perhaps even related). A free Microsoft product would be an 'easy sell' to such customers, and the 'trust issue' is moot since all infected users are most likely to be running Windows in the first place.
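The post above argues that source/destination addresses and suspicious activity patterns are enough to spot an infected host without any client software. The following is an added example, not Comcast's detector or anything from the original thread, showing two such flow-metadata heuristics: a host that checks in with one remote endpoint at near-constant intervals (the shape of a C&C beacon), and a residential host opening direct port-25 connections to many distinct mail servers (the shape of a spam bot). The flow records, addresses and thresholds are all constructed for the illustration.

```python
"""Flow-metadata bot indicators (added example, not Comcast's detector).

Works on NetFlow-style records only: timestamps, addresses and ports, no
payload and no client-side software. Two heuristics:
  1. beaconing: one host contacting one remote endpoint at near-constant
     intervals, the usual shape of a C&C check-in;
  2. SMTP fan-out: a residential host opening direct port-25 connections to
     many distinct mail servers, the usual shape of a spam bot.
All thresholds and the sample flows are assumptions constructed for the
illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

BEACON_MIN_FLOWS = 6        # assumed: samples needed to judge regularity
BEACON_MAX_CV = 0.10        # assumed: std-dev / mean of inter-flow gaps
SMTP_FANOUT_THRESHOLD = 20  # assumed: distinct port-25 peers per host


def _constructed_flows():
    """Constructed sample records: (timestamp_sec, src_ip, dst_ip, dst_port)."""
    flows = []
    # 10.0.0.5: checks in with 203.0.113.7:443 every ~300 s (beacon)
    jitter = [0, -3, 2, -1, 4, 0, -2, 3]
    flows += [(300 * i + j, "10.0.0.5", "203.0.113.7", 443)
              for i, j in enumerate(jitter)]
    # 10.0.0.9: ordinary browsing, irregular timing, one mail relay
    for ts in (0, 17, 140, 141, 600, 2000, 2100):
        flows.append((ts, "10.0.0.9", "198.51.100.20", 443))
    flows.append((700, "10.0.0.9", "198.51.100.25", 25))
    # 10.0.0.12: direct SMTP to 25 different mail servers (spam bot)
    flows += [(50 * n, "10.0.0.12", f"192.0.2.{n}", 25) for n in range(1, 26)]
    return flows


FLOWS = _constructed_flows()


def find_beacons(flows, min_flows=BEACON_MIN_FLOWS, max_cv=BEACON_MAX_CV):
    """Return {(src, dst, port): mean_interval_sec} for regular check-ins."""
    by_peer = defaultdict(list)
    for ts, src, dst, port in flows:
        by_peer[(src, dst, port)].append(ts)
    beacons = {}
    for key, stamps in by_peer.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # low coefficient of variation == machine-regular timing
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons


def find_smtp_fanout(flows, threshold=SMTP_FANOUT_THRESHOLD):
    """Return {src: distinct_port25_peers} for hosts at or over the threshold."""
    peers = defaultdict(set)
    for _, src, dst, port in flows:
        if port == 25:
            peers[src].add(dst)
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}


def flagged_hosts(flows):
    """Sorted union of sources hit by either heuristic."""
    hosts = {src for (src, _, _) in find_beacons(flows)}
    hosts |= set(find_smtp_fanout(flows))
    return sorted(hosts)


if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(FLOWS).items():
        print(f"beacon  {src} -> {dst}:{port} every ~{interval}s")
    for src, n in find_smtp_fanout(FLOWS).items():
        print(f"fan-out {src} -> {n} distinct SMTP servers")
    print("flagged:", flagged_hosts(FLOWS))
```

Both checks need only the 5-tuple and a timestamp, which is the privacy position argued earlier in the thread: nothing about the content of the sessions is retained. The weakness, also raised above, is false positives: a legitimate monitoring agent polls on a fixed schedule too, and a small business running its own mail server has genuine SMTP fan-out, so a hit should open a notification rather than an automatic cut-off.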

Jim, Blend was referring to the software requirement of Comcast to its customers, who purchase internet access.

I had a similar requirement with another provider some seven years ago. After I threw a bloody fit when their requirement changed some settings and default options on my computer, it took tech support at least a couple of hours to lead me through the process of un-installing all the individual modules entirely.

Recently with the same provider I was required to throw another fit because the 3rd party tech support could not comprehend that I was unwilling to install additional software, which same tech had previously told me would NOT be required.

The 3rd party tech support by these providers creates the entire mess and/or lack of communication. They simply don't understand or comprehend the English language.

I wouldn't trust Comcast with a penny, even less with a pop-up window saying I need an anti-virus. That's going to be the biggest PHISHING back-door ever. I can only imagine the pop-up already: "We're Comcast, and your PC is infected. PLEASE click here"

Totally ridiculous initiative.

If Comcast is so good at detecting bot traffic, why don't they block it?

I think in theory it would be a good idea, but whatever they do there will be a way around it. Block traffic on a certain port? Just set the server to listen on a different one. Grep packets for a signature? The programmer can just adjust it.

The big question is how will they determine what is legit traffic vs something initiated by a zombie.

A new report by UK Parliament seems to be recommending UK ISPs take action against infected machines...

"A recommendation for a voluntary code for ISPs relating to the detection of, and effective dealing with, malware infected machines in the UK. If this voluntary approach fails to yield results in a timely manner, then Ofcom should unilaterally create and impose such a code on the UK ISP industry."

If Comcast is so good at detecting bot traffic, why don't they block it?

Because it doesn't give the user a chance to protest in case of a false positive?

Regarding pop-ups, if Comcast can detect bot traffic, then can't they also detect regular browsing traffic? And then use DNS redirection without any extra software or toolbar?

So when Comcast flags a machine and the user tries to visit a website, Comcast redirects them to a warning page about a possible trojan. The user can override this warning screen for x times or x days. After that deadline, Comcast clamps down on all traffic until the machine is clean.
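The scheme in the post above (DNS redirection to a warning page, a limited number of user overrides, then a full clamp-down until the machine is clean) is essentially a small policy state machine. Here it is as an added example, not Comcast's or Qwest's implementation: the override limit, the grace window and the warning-page address are assumed values, and `dns_answer` stands in for whatever hook the ISP's resolver actually offers.

```python
"""Walled-garden policy for a flagged subscriber (added example).

Once a machine is flagged, DNS answers for that subscriber are substituted
with a warning page; the user may override the warning a limited number of
times inside a grace window; after the window closes all traffic is clamped
until the machine is marked clean. The override limit, the grace window and
the addresses are assumed values, not any ISP's actual policy.
"""
from dataclasses import dataclass

MAX_OVERRIDES = 5               # assumed: overrides allowed before clamp-down
GRACE_SECONDS = 3 * 24 * 3600   # assumed: 3-day window to get cleaned up
WARNING_PAGE_IP = "192.0.2.10"  # assumed: ISP-hosted warning/cleanup page


@dataclass
class Quarantine:
    flagged_at: float
    overrides_used: int = 0
    cleared: bool = False

    def decide(self, now, override=False):
        """Return 'allow', 'warn' (serve the warning page) or 'block'."""
        if self.cleared:
            return "allow"
        if now - self.flagged_at >= GRACE_SECONDS:
            return "block"          # deadline passed: clamp all traffic
        if override and self.overrides_used < MAX_OVERRIDES:
            self.overrides_used += 1
            return "allow"          # user chose to proceed this time
        return "warn"

    def mark_clean(self):
        """Called once the cleanup flow confirms the machine is clean."""
        self.cleared = True
        self.overrides_used = 0


def dns_answer(state, now, qname, real_ip, override=False):
    """Resolver hook (hypothetical): substitute the warning page while flagged.

    Returns (answer_ip, decision). A blocked host gets no answer at all.
    Answers handed out while 'warn' is in force should carry a short TTL so
    the redirect can be lifted promptly after mark_clean().
    """
    decision = state.decide(now, override)
    if decision == "allow":
        return real_ip, decision
    if decision == "warn":
        return WARNING_PAGE_IP, decision
    return None, decision


if __name__ == "__main__":
    q = Quarantine(flagged_at=0.0)
    print(dns_answer(q, 10, "example.com", "203.0.113.80"))
    print(dns_answer(q, 20, "example.com", "203.0.113.80", override=True))
    print(dns_answer(q, GRACE_SECONDS + 1, "example.com", "203.0.113.80"))
```

DNS substitution only redirects plain HTTP browsing; it does nothing to a bot that talks to its controller by raw IP, and it is exactly the kind of interception that the spoofing concern elsewhere in this thread applies to, so the warning page should live at an address the customer is told to type in rather than one delivered by a pop-up link. The override counter is what gives a false positive a chance to protest before the block lands.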

How about 100,000 outgoing HTTP requests per day, all to different servers, requesting all variations on the URL-path phpMyAdmin.php? I see hundreds of these every day on just one server, and they obviously come from botnets. I can see a person logging into his PHP Admin panel 100 times in one day, or even 200 times in one day, but 100,000? -- You'd think after the first 100 tries or so, he'd at least get the filename right! Besides, a person like that should forget about PHP and seek help for "Overly-fast-typing syndrome." It's a bot.
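The poster's observation above (many requests from one source for variations of a phpMyAdmin path, most of which do not exist) is easy to turn into a log check on the receiving server. The following is an added example, not the poster's tool: it parses combined-format access log lines, and flags a source that requested many distinct phpMyAdmin-style paths with a high 404 rate. The log lines, addresses and thresholds are constructed for the illustration.

```python
"""Spotting phpMyAdmin probing in web-server logs (added example).

Parses Apache/nginx combined-format access lines, counts per source how
many distinct phpMyAdmin-style paths it asked for and how many came back
404, and flags sources whose behaviour is scanner-shaped. The sample log
lines are constructed for the illustration; the thresholds are assumptions.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
    r'[^"]*" (?P<status>\d{3}) \S+'
)
# path fragments scanners try in bulk; matched case-insensitively
PROBE_RE = re.compile(r'(phpmyadmin|pma|myadmin|mysqladmin|sqladmin)', re.I)

MIN_DISTINCT_PROBES = 5   # assumed: "tries many variations"
MIN_404_RATIO = 0.8       # assumed: a scanner mostly hits missing paths

# Constructed sample log (not real traffic)
SAMPLE_LOG = """\
203.0.113.50 - - [08/Oct/2009:13:00:01 -0700] "GET /phpMyAdmin/ HTTP/1.1" 404 276
203.0.113.50 - - [08/Oct/2009:13:00:01 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 276
203.0.113.50 - - [08/Oct/2009:13:00:02 -0700] "GET /pma/ HTTP/1.1" 404 276
203.0.113.50 - - [08/Oct/2009:13:00:02 -0700] "GET /myadmin/ HTTP/1.1" 404 276
203.0.113.50 - - [08/Oct/2009:13:00:03 -0700] "GET /phpMyAdmin-2.11.0/ HTTP/1.1" 404 276
203.0.113.50 - - [08/Oct/2009:13:00:03 -0700] "GET /PMA2005/ HTTP/1.1" 404 276
203.0.113.50 - - [08/Oct/2009:13:00:04 -0700] "GET /phpmyadmin2/ HTTP/1.1" 404 276
203.0.113.50 - - [08/Oct/2009:13:00:04 -0700] "GET /mysqladmin/ HTTP/1.1" 404 276
198.51.100.7 - - [08/Oct/2009:13:05:10 -0700] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [08/Oct/2009:13:05:40 -0700] "GET /phpmyadmin/index.php HTTP/1.1" 200 8812
198.51.100.7 - - [08/Oct/2009:13:06:02 -0700] "POST /phpmyadmin/index.php HTTP/1.1" 200 8812
192.0.2.9 - - [08/Oct/2009:13:09:00 -0700] "GET /pma/ HTTP/1.1" 404 276
192.0.2.9 - - [08/Oct/2009:13:09:01 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 276
"""


def parse(lines):
    """Yield dicts for lines that match the combined log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_probe_scanners(lines, min_probes=MIN_DISTINCT_PROBES,
                        min_404=MIN_404_RATIO):
    """Return {ip: stats} for sources that look like phpMyAdmin scanners."""
    distinct = defaultdict(set)
    total = defaultdict(int)
    not_found = defaultdict(int)
    for rec in parse(lines):
        if not PROBE_RE.search(rec["path"]):
            continue
        ip = rec["ip"]
        total[ip] += 1
        distinct[ip].add(rec["path"])   # case variants count separately
        if rec["status"] == "404":
            not_found[ip] += 1
    scanners = {}
    for ip, n in total.items():
        ratio = not_found[ip] / n
        if len(distinct[ip]) >= min_probes and ratio >= min_404:
            scanners[ip] = {"distinct_paths": len(distinct[ip]),
                            "requests": n,
                            "not_found_ratio": round(ratio, 2)}
    return scanners


if __name__ == "__main__":
    for ip, stats in find_probe_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

The 404 ratio is what separates the scanner from the site's own administrator logging into a real phpMyAdmin install. The caveat from earlier in the thread applies to anything done with the flagged address: behind a carrier or household NAT, one source IP can cover an infected machine and several clean ones, so the hit is a reason to notify the ISP's abuse contact, not proof about a particular subscriber.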

They don't have to stop 100% of the abusive traffic, they just have to raise the cost of developing successful exploits. Do that, and the low end of the market falls out, and a majority of the abuse goes away.